risk

package
v1.6.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 9, 2024 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var CriticalRoleMap = map[string]bool{
	"admin":                       true,
	"cluster-admin":               true,
	"edit":                        true,
	"kindnet":                     true,
	"kubeadm:get-nodes":           true,
	"local-path-provisioner-role": true,
	"system:aggregate-to-admin":   true,
	"system:aggregate-to-edit":    true,
	"system:aggregate-to-view":    true,
	"system:certificates.k8s.io:certificatesigningrequests:nodeclient":     true,
	"system:certificates.k8s.io:certificatesigningrequests:selfnodeclient": true,
	"system:certificates.k8s.io:kube-apiserver-client-approver":            true,
	"system:certificates.k8s.io:kube-apiserver-client-kubelet-approver":    true,
	"system:certificates.k8s.io:kubelet-serving-approver":                  true,
	"system:certificates.k8s.io:legacy-unknown-approver":                   true,
	"system:controller:attachdetach-controller":                            true,
	"system:controller:bootstrap-signer":                                   true,
	"system:controller:certificate-controller":                             true,
	"system:controller:clusterrole-aggregation-controller":                 true,
	"system:controller:cronjob-controller":                                 true,
	"system:controller:daemon-set-controller":                              true,
	"system:controller:deployment-controller":                              true,
	"system:controller:disruption-controller":                              true,
	"system:controller:endpoint-controller":                                true,
	"system:controller:endpointslice-controller":                           true,
	"system:controller:endpointslicemirroring-controller":                  true,
	"system:controller:ephemeral-volume-controller":                        true,
	"system:controller:expand-controller":                                  true,
	"system:controller:generic-garbage-collector":                          true,
	"system:controller:horizontal-pod-autoscaler":                          true,
	"system:controller:job-controller":                                     true,
	"system:controller:namespace-controller":                               true,
	"system:controller:node-controller":                                    true,
	"system:controller:persistent-volume-binder":                           true,
	"system:controller:pod-garbage-collector":                              true,
	"system:controller:pv-protection-controller":                           true,
	"system:controller:pvc-protection-controller":                          true,
	"system:controller:replicaset-controller":                              true,
	"system:controller:replication-controller":                             true,
	"system:controller:resourcequota-controller":                           true,
	"system:controller:root-ca-cert-publisher":                             true,
	"system:controller:route-controller":                                   true,
	"system:controller:service-account-controller":                         true,
	"system:controller:service-controller":                                 true,
	"system:controller:statefulset-controller":                             true,
	"system:controller:token-cleaner":                                      true,
	"system:controller:ttl-after-finished-controller":                      true,
	"system:controller:ttl-controller":                                     true,
	"system:coredns":                                                       true,
	"system:heapster":                                                      true,
	"system:kube-aggregator":                                               true,
	"system:kube-controller-manager":                                       true,
	"system:kube-dns":                                                      true,
	"system:kube-scheduler":                                                true,
	"system:kubelet-api-admin":                                             true,
	"system:monitoring":                                                    true,
	"system:node-bootstrapper":                                             true,
	"system:node-problem-detector":                                         true,
	"system:node-proxier":                                                  true,
	"system:persistent-volume-provisioner":                                 true,
	"system:public-info-viewer":                                            true,
	"system:service-account-issuer-discovery":                              true,
	"system:volume-scheduler":                                              true,
	"view":                                                                 true,
}

Functions

This section is empty.

Types

type RiskEngine

type RiskEngine struct {
	// contains filtered or unexported fields
}

RiskEngine computes which assets are deemed critical based on a set of pre-configured rules.

func Engine

func Engine() *RiskEngine

Engine returns the risk engine singleton instance.

func (*RiskEngine) IsCritical

func (ra *RiskEngine) IsCritical(model any) bool

IsCritical reports whether the provided asset should be marked as critical. The function expects a single store model input and currently only supports Roles.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL